i want to create a user for each lead provider, that if one of the username or password in the GET Request, that he calls, are not identified as a user in sugar, h will be blocked.

Does "'auth' => true" parameter does that automatically? block users that sends GET Requset with wrong user or password, as a parameter, to the entrypoint?

or does it mean the user must be logged in to sugar, which means it is always useless (how can an external user that calls an entrypoint be logged in the system?) and i need to write code in addNewLead.php file that will browse the users and check password.

My Lead provider that passes me leads, only "calls a link" which means, he is only using GET Requests. i guess that for GET Requests , i need to do the user+password check myself right? (i will receive them as parameters inside the link...